On 05/23/2018 11:27 AM, ilf wrote:
> tl;dr: Keep calm and keep running keyservers.
>
> Vincent Breitmoser:
>> (cross-posting on all the cool pgp lists)
>
> (I wonder if this really needs to be on all four lists. I think
> sks-devel@ might be the most appropriate. Having said that, I'm only
> replying to gnupg-devel@ because I'm not subscribed to sks-devel@. Feel
> free to relay my message.)

As I think this has a valuable viewpoint, I'm posting it to sks-devel. And yes, this is mostly in line with my own thinking; I don't expect the need for radical changes unless we see actual attempts to go after the infrastructure.

>> My personal conclusion is that keyservers that support user id packets
>> are, quite simply, incompatible with GDPR law.
>
> There is a ton of FUD about the GDPR out there right now. Most of it
> frivolous. (Actually, a lot of it is deliberate fearmongering by people
> who happen to sell legal advice on the GDPR.)
>
> First of all, the GDPR is not completely new. All EU member states
> already have data protection laws, some - like Germany - already very
> strong ones. The concepts (PII, responsibilities, technological and
> organisational measures, information and documentation obligations) have
> already been in place with the old Data Protection Directive from 1995,
> which the GDPR is updating. I admit that the GDPR can be read and
> interpreted in a fatalist way. But most people leaning that way seem to
> not have read the older laws.
>
> Laws are not set in stone. Laws include leeways, deliberate or
> unintended. Laws do not depend on their interpretation by laypeople.
> There is a huge dedicated system for their interpretation, conflict
> resolution, judgement and enforcement.
>
> In the case of the GDPR, the very first step of that system are National
> Data Protection Authorities (DPA). They have the power - and the
> responsibility - to investigate possible violations of the GDPR. They
> have been understaffed for years, in many countries dangerously so. They
> are getting a lot more powers and responsibilities with the GDPR, but
> their resources are growing way slower than their tasks. They are simply
> understaffed and overworked. So from all the possible GDPR violations
> they will be notified about, they will work off the biggest and most
> obvious ones first. Their focus will be on the Facebooks - and not on
> small nerd projects or personal websites. They have the power to say "we
> don't care about this weird thing called keyserver" - and they probably
> will.
>
> Now even if someone found data protection law infringements with a
> keyserver, filed a specific and well-worded legal complaint with a DPA,
> and a DPA found the resources to look into it, and the DPA found some
> violation of the GDPR (four big IFs!) - the DPAs will not go around and
> issue sanctions and fine people. First of all, their job is not to
> generate revenues by fines. Their job is to enforce data protection law.
> If a DPA did find an issue with a keyserver - or the very concept - they
> would reach out and talk to the people running the servers. They would
> hear their perspective, learn more about the very concept - and try to
> work out a viable solution to provide the service without possible data
> protection infringements. This is their job and their goal.
>
> The most feared sanction of some undefined GDPR violation is a fine. As
> I laid out, DPAs don't want to issue fines, they want to stop privacy
> violations. And they will not blindly issue a fine without talking to
> you first. That being said, they obviously do have the power to issue
> fines. After due process. However, this power is also not new, it has
> also existed in many countries. And DPAs don't run around and fine
> people left and right (you would have heard about that), they exercise
> their power in a balanced way. And fines are always in relation to the
> economic and personal circumstances of the - then guilty and obstinate -
> data protection violators. I guess most keyservers are run by
> non-profit individuals or institutions. Even if a company runs a
> keyserver, it doesn't make money with that service. Therefore, I think
> the chance of *any* fine is negligible - and the chance of an
> unreasonably high fine is almost zero. And if it ever came to this, the
> community and public alarmed by public outcry would probably donate more
> than the fine issued.
>
> To sum up: Keep calm and keep running keyservers. You'll be fine.
>
> More elaboration in German:
> https://netzpolitik.org/2018/bussgelder-bei-datenschutzverstoessen-angst-vor-einem-phantom/
>
> Disclaimer: IANAL. This is not legal advice.
>
> _______________________________________________
> Gnupg-devel mailing list
> gnupg-de...@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

-- 
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"I disapprove of what you say, but I will defend to the death your right to say it."
Evelyn Beatrice Hall (summarizing Voltaire)
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel